Permissions for @turbot/aws-iam

Taking a look at permissions and associated grant levels for each permission for IAM:

Permission	Grant Level	Help
access-analyzer:ApplyArchiveRule	Owner
access-analyzer:CancelPolicyGeneration	Owner
access-analyzer:CreateAccessPreview	Owner
access-analyzer:CreateAnalyzer	Owner
access-analyzer:CreateArchiveRule	Owner
access-analyzer:DeleteAnalyzer	Owner
access-analyzer:DeleteArchiveRule	Owner
access-analyzer:GetAccessPreview	Metadata
access-analyzer:GetAnalyzedResource	Metadata
access-analyzer:GetAnalyzer	Metadata
access-analyzer:GetArchiveRule	Metadata
access-analyzer:GetFinding	Metadata
access-analyzer:GetGeneratedPolicy	Metadata
access-analyzer:ListAccessPreviewFindings	Metadata
access-analyzer:ListAccessPreviews	Metadata
access-analyzer:ListAnalyzedResources	Metadata
access-analyzer:ListAnalyzers	Metadata
access-analyzer:ListArchiveRules	Metadata
access-analyzer:ListFindings	Metadata
access-analyzer:ListPolicyGenerations	Metadata
access-analyzer:ListTagsForResource	Metadata
access-analyzer:StartPolicyGeneration	Owner
access-analyzer:StartResourceScan	Owner
access-analyzer:TagResource	Operator
access-analyzer:UntagResource	Operator
access-analyzer:UpdateArchiveRule	Owner
access-analyzer:UpdateFindings	Owner
access-analyzer:ValidatePolicy	Operator
iam:AddClientIDToOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:AddRoleToInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:AddUserToGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:AttachGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:AttachRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:AttachUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:ChangePassword	None	Users are not allowed to change their own password. Owners may change passwords for users through *LoginProfile permissions.
iam:CreateAccessKey	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:CreateAccountAlias	Owner	Owners can manage the AWS account alias.
iam:CreateGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:CreateInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:CreateLoginProfile	Whitelist	Optionally Owners can create passwords for custom users. Management of Guardrails users is explicitly denied.
iam:CreateOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:CreatePolicy	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:CreatePolicyVersion	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:CreateRole	Owner	Owners can create custom roles.
iam:CreateSAMLProvider	Owner	SAML is not used in Guardrails accounts.
iam:CreateServiceLinkedRole	Owner	Owner can manage service-linked roles.
iam:CreateServiceSpecificCredential	Owner
iam:CreateUser	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:CreateVirtualMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DeactivateMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DeleteAccessKey	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteAccountAlias	Owner	Owners can manage the AWS account alias.
iam:DeleteAccountPasswordPolicy	Owner
iam:DeleteGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DeleteGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DeleteInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteLoginProfile	Whitelist	Optionally Owners can manage passwords for custom users. Management of Guardrails users is explicitly denied. Deletion of the login profile is always allowed so user deletion in the IAM console works.
iam:DeleteOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:DeletePolicy	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:DeletePolicyVersion	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:DeleteRole	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteRolePermissionsBoundary	Owner	Owners can delete permission boundary.
iam:DeleteRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteSAMLProvider	Owner	SAML is not used in Guardrails accounts.
iam:DeleteSSHPublicKey	Owner	Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:DeleteServerCertificate	Owner	Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB).
iam:DeleteServiceLinkedRole	Owner
iam:DeleteServiceSpecificCredential	Owner
iam:DeleteSigningCertificate	None	SOAP is deprecated by AWS and not supported by Guardrails.
iam:DeleteUser	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteUserPermissionsBoundary	Owner
iam:DeleteUserPermissionsBoundary	Owner	Owners can delete permission boundary.
iam:DeleteUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteVirtualMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DetachGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DetachRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DetachUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:EnableMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:GenerateCredentialReport	Metadata
iam:GenerateOrganizationsAccessReport	Owner
iam:GenerateServiceLastAccessedDetails	Metadata
iam:GetAccessKeyLastUsed	Metadata
iam:GetAccountAuthorizationDetails	Metadata
iam:GetAccountPasswordPolicy	Metadata
iam:GetAccountSummary	Metadata
iam:GetContextKeysForCustomPolicy	Metadata
iam:GetContextKeysForPrincipalPolicy	Metadata
iam:GetCredentialReport	Metadata
iam:GetGroup	Metadata
iam:GetGroupPolicy	Metadata
iam:GetInstanceProfile	Metadata
iam:GetLoginProfile	Metadata
iam:GetOpenIDConnectProvider	Metadata
iam:GetOrganizationsAccessReport	Metadata
iam:GetPolicy	Metadata
iam:GetPolicyVersion	Metadata
iam:GetRole	Metadata
iam:GetRolePolicy	Metadata
iam:GetSAMLProvider	Metadata
iam:GetSSHPublicKey	Metadata
iam:GetServerCertificate	Metadata
iam:GetServiceLastAccessedDetails	Metadata
iam:GetServiceLastAccessedDetailsWithEntities	Metadata
iam:GetServiceLinkedRoleDeletionStatus	Metadata
iam:GetUser	Metadata
iam:GetUserPolicy	Metadata
iam:ListAccessKeys	Metadata
iam:ListAccountAliases	Metadata
iam:ListAttachedGroupPolicies	Metadata
iam:ListAttachedRolePolicies	Metadata
iam:ListAttachedUserPolicies	Metadata
iam:ListEntitiesForPolicy	Metadata
iam:ListGroupPolicies	Metadata
iam:ListGroups	Metadata
iam:ListGroupsForUser	Metadata
iam:ListInstanceProfileTags	Metadata
iam:ListInstanceProfiles	Metadata
iam:ListInstanceProfilesForRole	Metadata
iam:ListMFADeviceTags	Metadata
iam:ListMFADevices	Metadata
iam:ListOpenIDConnectProviderTags	Metadata
iam:ListOpenIDConnectProviders	Metadata
iam:ListPolicies	Metadata
iam:ListPoliciesGrantingServiceAccess	Metadata
iam:ListPolicyTags	Metadata
iam:ListPolicyVersions	Metadata
iam:ListRolePolicies	Metadata
iam:ListRoleTags	Metadata	Lists the tags on an IAM user.
iam:ListRoles	Metadata
iam:ListSAMLProviderTags	Metadata
iam:ListSAMLProviders	Metadata
iam:ListSSHPublicKeys	Metadata
iam:ListServerCertificateTags	Metadata
iam:ListServerCertificates	Metadata
iam:ListServiceSpecificCredentials	Metadata
iam:ListSigningCertificates	Metadata
iam:ListUserPolicies	Metadata
iam:ListUserTags	Metadata	Lists the tags on an IAM role.
iam:ListUsers	Metadata
iam:ListVirtualMFADevices	Metadata
iam:PassRole	Owner	Owner needs PassRole to allow creation of IAM roles for EC2. This also whitelists it for others to be granted specifically by services. PassRole for Guardrails roles is explicitly denied.
iam:PutGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:PutRolePermissionsBoundary	Owner	Owners can add permission boundary.
iam:PutRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:PutUserPermissionsBoundary	Owner	Owners can add permission boundary.
iam:PutUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:RemoveClientIDFromOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:RemoveRoleFromInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:RemoveUserFromGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:ResetServiceSpecificCredential	Owner
iam:ResyncMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:SetDefaultPolicyVersion	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:SetSecurityTokenServicePreferences	Owner
iam:SimulateCustomPolicy	Metadata	Allow users to simulate and investigate IAM permssions. This does allow access to view permissions of other users.
iam:SimulatePrincipalPolicy	Metadata	Allow users to simulate and investigate IAM permssions. This does allow access to view permissions of other users.
iam:TagInstanceProfile	Operator
iam:TagMFADevice	Operator
iam:TagOpenIDConnectProvider	Operator
iam:TagPolicy	Operator
iam:TagRole	Operator	Creates or modifies the tags on an IAM user.
iam:TagSAMLProvider	Operator
iam:TagServerCertificate	Operator
iam:TagUser	Operator	Creates or modifies the tags on an IAM role.
iam:UntagInstanceProfile	Operator
iam:UntagMFADevice	Operator
iam:UntagOpenIDConnectProvider	Operator
iam:UntagPolicy	Operator
iam:UntagRole	Operator	Removes the tags on an IAM user.
iam:UntagSAMLProvider	Operator
iam:UntagServerCertificate	Operator
iam:UntagUser	Operator	Removes the tags on an IAM role.
iam:UpdateAccessKey	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:UpdateAccountPasswordPolicy	Owner
iam:UpdateAssumeRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:UpdateGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:UpdateLoginProfile	Whitelist	Optionally Owners can change passwords for custom users. Guardrails users are explicitly denied from managing passwords.
iam:UpdateOpenIDConnectProviderThumbprint	None	OpenID is not used in Guardrails accounts.
iam:UpdateRole	Owner	Updates the description or maximum session duration setting of a role.
iam:UpdateRoleDescription	Owner	Owners can modify the description of a role.
iam:UpdateSAMLProvider	Owner	SAML is not used in Guardrails accounts.
iam:UpdateSSHPublicKey	Owner	Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:UpdateServerCertificate	Owner	Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB).
iam:UpdateServiceSpecificCredential	Owner
iam:UpdateSigningCertificate	None	SOAP is deprecated by AWS and not supported by Guardrails.
iam:UpdateUser	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:UploadSSHPublicKey	Owner	Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:UploadServerCertificate	Owner	Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB).
iam:UploadSigningCertificate	None	SOAP is deprecated by AWS and not supported by Guardrails.
organizations:DescribeOrganization	Metadata
sts:AssumeRole	Operator	Assuming Guardrails roles (determined by path) is explicitly denied.
sts:AssumeRoleWithSAML	Operator	Assuming Guardrails roles (determined by path) is explicitly denied.
sts:AssumeRoleWithWebIdentity	Operator	Assuming Guardrails roles (determined by path) is explicitly denied.
sts:DecodeAuthorizationMessage	Metadata	Users with access to Metadata are granted the ability to decode any authorization failure messages they receive. This aids troubleshooting and is appropriate given they already have access at a Metadata level.